8 Simple Steps to Protect Your Database

By Brian Prince and Chris Preimesberger

Rather than monitor your network, where rogue users can gain untraceable access to your data, monitor your financial databases. Make sure your tools can identify, provide alerts and help you respond to unusual activities on a near real-time basis.

Many databases are vulnerable to unauthorized access due to insufficient patch levels or the use of default or weak passwords. These conditions can leave the door open to unauthorized users who bypass application-level controls and directly alter data.

Database access rights must be regularly reviewed and, if need be, revised to ensure user rights are consistent and properly limited. This is especially important given the rise of self-service applications and direct customer access. The failure to modify-

One of the best defenses against outside attacks and internal fraud is the detection of anomalous activity. Implement database-monitoring tools that distinguish normal and abnormal activities for each user, and that can immediately respond to abnormal activities.

A forensic trail generated through auditing tools can help verify the authenticity of database transactions.

Even trusted users can manipulate standard business practices to perpetrate fraud with special, end-of-period adjustments. Check all individual- and application-sourced changes to financial data to identify odd adjustments. And, verify adjustments with independent monitoring and auditing software, rather than the accounting software that your financial personnel use.

Manual annual audits are expensive, cause seasonal spikes in resource requirements, overburden your staff, introduce errors and slow down other operations. Conversely, an automated, continuous monitoring of key database controls helps you identify issues throughout the year, enables quick resolution of issues and reduces expensive, time-consuming mitigation procedures.

Regulatory compliance requires that some data in the database be encrypted, but all companies should consider encryption as it mitigates risk.